rpms / iproute

Clone
Source Code
GIT

Blame SOURCES/0028-libnetlink-fix-use-after-free-of-message-buf.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s c9 c9-beta c9s-sig-hyperscale
  1.   8def76bf770ade4ca2b94b0d3f702f120c1553ab
  2.   SOURCES
  3.   0028-libnetlink-fix-use-after-free-of-message-buf.patch
Blob History Raw
930fb9 
From e7c11266309ffa65143455ceefc17fe92d93511c Mon Sep 17 00:00:00 2001
930fb9 
From: Phil Sutter <psutter@redhat.com>
930fb9 
Date: Thu, 25 Oct 2018 12:24:30 +0200
930fb9 
Subject: [PATCH] libnetlink: fix use-after-free of message buf
930fb9
930fb9 
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1602555
930fb9 
Upstream Status: iproute2.git commit 8c50b728b226f
930fb9
930fb9 
commit 8c50b728b226f6254251282697ce38a72639a6fc
930fb9 
Author: Vlad Buslov <vladbu@mellanox.com>
930fb9 
Date:   Mon Oct 8 23:52:26 2018 +0300
930fb9
930fb9 
    libnetlink: fix use-after-free of message buf
930fb9
930fb9 
    In __rtnl_talk_iov() main loop, err is a pointer to memory in dynamically
930fb9 
    allocated 'buf' that is used to store netlink messages. If netlink message
930fb9 
    is an error message, buf is deallocated before returning with error code.
930fb9 
    However, on return err->error code is checked one more time to generate
930fb9 
    return value, after memory which err points to has already been
930fb9 
    freed. Save error code in temporary variable and use the variable to
930fb9 
    generate return value.
930fb9
930fb9 
    Fixes: c60389e4f9ea ("libnetlink: fix leak and using unused memory on error")
930fb9 
    Signed-off-by: Vlad Buslov <vladbu@mellanox.com>
930fb9 
    Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
930fb9 
---
930fb9 
 lib/libnetlink.c | 3 ++-
930fb9 
 1 file changed, 2 insertions(+), 1 deletion(-)
930fb9
930fb9 
diff --git a/lib/libnetlink.c b/lib/libnetlink.c
930fb9 
index f18dcea..a9932d4 100644
930fb9 
--- a/lib/libnetlink.c
930fb9 
+++ b/lib/libnetlink.c
930fb9 
@@ -656,6 +656,7 @@ static int __rtnl_talk_iov(struct rtnl_handle *rtnl, struct iovec *iov,
930fb9
930fb9 
 			if (h->nlmsg_type == NLMSG_ERROR) {
930fb9 
 				struct nlmsgerr *err = (struct nlmsgerr *)NLMSG_DATA(h);
930fb9 
+				int error = err->error;
930fb9
930fb9 
 				if (l < sizeof(struct nlmsgerr)) {
930fb9 
 					fprintf(stderr, "ERROR truncated\n");
930fb9 
@@ -679,7 +680,7 @@ static int __rtnl_talk_iov(struct rtnl_handle *rtnl, struct iovec *iov,
930fb9 
 				else
930fb9 
 					free(buf);
930fb9
930fb9 
-				return err->error ? -i : 0;
930fb9 
+				return error ? -i : 0;
930fb9 
 			}
930fb9
930fb9 
 			if (answer) {
930fb9 
--
930fb9 
1.8.3.1
930fb9

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation